Beware of Phishing Emails Disguised as Money Transfer Confirmations

Beware of Phishing Emails Disguised as Money Transfer Confirmations

Recently, the AhnLab SEcurity intelligence Center (ASEC) identified a case of phishing emails that disguise themselves as payment confirmation notices. These emails impersonate employees of a specific company in Korea and trick recipients into opening a malicious XLS file attached to the email, which is disguised as a payment confirmation notice.

 

[Figure 1] Body of the phishing email

 

When a user downloads and opens the attached XLS file, the contents of a legitimate payment confirmation slip are displayed, as shown in [Figure 2]. This serves as a decoy document designed to lower the user’s suspicion. However, the document contains the CVE-2017-0199 vulnerability, which exploits OLE objects. This vulnerability is a remote code execution (RCE) flaw that exploits the OLE2Link feature in Microsoft Office; when a user opens the document, it automatically accesses an external URL to download and execute additional Malicious Files (such as HTA files). In this case, it downloads and executes a malicious HTA file from the C2 server listed below.

 

HTA Download C2

  • Hxxp://144.172.104[.]196/35/Smallbackpackcomingfromthebestplaces.Hta

 

[Figure 2] Malicious XLS file disguised as a lure

[Figure 3] CVE-2017-0199 vulnerability

 

Once the malicious HTA file is downloaded from the C2 server and executed, it uses the Win32_Process.Create() method of WMI to execute an obfuscated PowerShell script in the background.

 

[Figure 4] Part of the malicious HTA script

 

The decrypted contents of the executed PowerShell script are shown in [Figure 5]. The script downloads a steganographically embedded PNG file from an additional C2 server and then extracts a .NET loader-type malware—encoded in Base64—using the strings “IN-” and “-inl” as markers. It then decrypts this, loads it into memory, and executes it. At this point, the loader operates by receiving the C2 server address—from which it will download the Remcos RAT—as an argument value.

 

Steganographic PNG Download C2

  • Hxxp://blue-paper-f69f[.]Acrypters.Workers.Dev/FTM0-40PO-AO28-G98E/img_qiql6d.Png

 

Remcos RAT Download C2

  • Hxxp://144.172.104[.]196/Vzt/vzt_175159.Cat

 

[Figure 5] Malicious PowerShell script

[Figure 6] Base64 data embedded in a PNG file using steganography

[Figure 7] PNG file with steganography applied

 

Ultimately, the Remcos RAT is malware that receives and executes remote commands on an infected system; it collects system and user information through various functions such as keylogging, screen capture, and file manipulation. The collected information and execution results are transmitted externally via communication with the C2 server.

 

Remcos RAT C2

  • Guhudeolokghguhumandeylikebroemdfhhfhsjj.Duckdns[.]Org:4087

 

[Figure 8] Remcos RAT in final execution

 

Response Guide

 

1. Verify the Sender

  • Verify that the sender’s email address belongs to an official domain.

 

2. Check Hyperlinks and Attachments

  • If the email body prompts you to click on an attached image, check the linked URL first before clicking. Suspicious URLs often redirect to legitimate pages via third-party sites rather than going directly to the official page, so you should examine them carefully. Additionally, if there are attachments, check for suspicious file extensions (.Exe, .Vbs, .Js, etc.).

 

3. Be Cautious When Entering Sensitive Information

  • If you are asked to provide sensitive information, such as login credentials, always verify that the page’s URL is that of the official site before entering any information. If the page is not official, it is highly likely to be a suspicious URL, so caution is required. In particular, check the page’s security certification (HTTPS, padlock icon) before entering sensitive information, and never enter any information if you have any doubts.

MD5

1ae66686d91145b0707c32ff43664f70
2a0f1960fb6338537c3a366daaa28abb
66de4988c67e911479a20a3cd3e4990d
c184f43536a78459acef0082d1a25976
URL

http[:]//144[.]172[.]104[.]196/35/smallbackpackcomingfromthebestplaces[.]hta
https[:]//blue-paper-f69f[.]acrypters[.]workers[.]dev/FTM0-40PO-AO28-G98E/img_qiql6d[.]png

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.